.htaccess Tips

Restrict Access to WP Admin directory by IP Address

If you are running a single user blog site, there is no reason to allow others to access WordPress administration panel. You can protect your WP admin from unauthorized access by listing your static IP address in the .htaccess. Here’s the trick

order deny,allow
allow from a.b.c.d # This is your static IP
deny from all

Disable Hotlinking

Sometimes another site may directly link images from your site. It saves hard disk space by not having to store the images. But your site ends up serving the requests for them, thus using up your precious bandwidth. This is known as ‘hotlinking’. To disable this you can add these lines to the .htaccess

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
#RewriteRule \.(gif|jpg)$ – [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]

Stop Spammers

Like hotlinking, spammers are notorious to use up your site’s resources. There are a number of ways to identify a potential spammer. One of them is to detect requests with ‘no referrer’. Spammers use bots to post comments on blogs and they come from ‘nowhere’. Add these lines to stop the spammers

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Protect WP-Config

The wp-config.php file in your WordPress installation contains some real important secrets, like database name, database username and password etc. You have no choice but to keep it secure.

# protect wpconfig.php
<Files wp-config.php>
order allow,deny
deny from all

Disable Directory Browsing

Someone who knows the directory structure of a WordPress installation, may use his knowledge to do some damage. Besides you should not let them know what plug-ins are you using.

# disable directory browsing
Options All -Indexes

Protect .htaccess itself!

Last thing you want after spending so much time protecting your site with .htaccess, is to leave the file itself open to attack. The following hack prevents external access to any file starttng with .hta

<Files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all

Better still, you can rename the .htaccess to any other name you like

# rename htaccess files
AccessFileName ht.access

Posted in htaccess